Posted by Unknown Lamer on Wednesday November 02, 2011 @09:55AM from the windows-industrial-control-edition dept.

Trailrunner7 writes with an excerpt from Threatpost: "A newly discovered installer for the Duqu malware includes an exploit for a previously unknown vulnerability in the Windows kernel that allows remote code execution. Microsoft is working on a fix for the kernel vulnerability right now. The exact location and nature of the flaw isn't clear right now. The installer uses a Word document to exploit the vulnerability and then install the Duqu binaries."

It doesn't say remote vulnerability, it says remote code execution. It's probably a Word bug that allows execution of shellcode, which in turn exploits the LOCAL vulnerability in the Windows kernel for privilege elevation. "Remote" just refers to Duqu running code given to it over the network, I assume.

I'm a little confused. Why would you need a Word document to exploit a remote vulnerability?

From the FA:
"The installer, discovered by researchers at the Hungarian lab that first found Duqu, is a Word document that, once opened, exploits the kernel flaw and then installs the Duqu code on the machine. "

The answer, my dear Watson, is that it is much easier to get people to click on a .doc email attachment than it is to get them to click on a .exe.

By root you mean Administrator privileges and it's still not horribly uncommon that users have local Admin rights due to some old junk software they are trying to run that will only run with Admin privileges locally.

I wonder if this bug is XP only or XP/Vista/7. If it Vista/7, will UAC stop it?

This article is light on details and doesn't give admins a lot to work with. Microsoft generally will release KB articles describing the exploit and workaround/prevention methods to prevent it.

and it's still not horribly uncommon that users have local Admin rights due to some old junk software they are trying to run that will only run with Admin privileges locally.

Someone wasn't paying attention during the Vista / 7 coverage. Neither one lets you "just have admin" unless you do a ton of tinkering to completely disable UAC, which in my experience (covering a rather large user base over many companies and households) is incredibly niche. Even if you log in as Administrator, you do not have root unless you go through a UAC prompt.

On XP, you are right, but I believe the XP marketshare is getting smaller every day.

Well, if it needs root, that pretty much leaves out Vista and 7, unless you have a user that is dumb enough to click yes on "Hey, you didn't try to install anything, but this (insert huge random number) wants to have admin rights, yes or no", which if they click yes you have worse problems. I'm also gonna assume that Office 2K10 does like 2K7 and by default disables scripting and running code unless you specifically enable it (since TFA is seriously light on any details more than "ZOMG weesa gonna die!") so that

The article says kernel exploit. Many user-land calls are wrappers for kernel-land functions. If this was some undocumented API call in Word, then the exploited function might not validate inputs very well.

I'll be the first to admit, I don't really know much about Duqu in particular or what kernel exploit it used. In my head, I imagined a kernel function that took a LPSTR type input and didn't bother checking to see how long it was (classic buffer overflow). It's probably more complicated than that, but ultimately my bet is that the kernel did not sanitize userland inputs very well.
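The pattern the comment above imagines (a kernel routine that takes a caller-supplied buffer and length and never checks the length) is worth seeing next to its fixed form. The following is an added illustration, not Duqu's actual bug and not code from the article; the request layout, the function names and the 32-byte limit are all hypothetical, chosen only to show the unchecked copy beside the checked one and the related integer-overflow case when a size is computed from two caller-controlled fields.

```c
/* Added illustration, not the real Duqu kernel bug: a kernel-style request
 * handler that trusts a caller-supplied length (the "classic buffer overflow"
 * described in the thread) next to a version that validates it.
 * All names, the request layout and NAME_MAX_LEN are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NAME_MAX_LEN 32

/* Hypothetical request handed from user land to a kernel service. Both
 * fields are under the caller's control and must be treated as hostile. */
struct name_request {
    uint32_t len;        /* caller-controlled: number of bytes in data[] */
    const char *data;    /* caller-controlled pointer */
};

/* Vulnerable: copies len bytes into a fixed stack buffer with no check.
 * If len > NAME_MAX_LEN, memcpy runs past name[] and corrupts the stack.
 * Kept here only to show the pattern; never call it with untrusted input. */
int handle_name_unchecked(const struct name_request *req)
{
    char name[NAME_MAX_LEN];
    memcpy(name, req->data, req->len);   /* no bounds check on req->len */
    return (int)req->len;
}

/* Hardened: validate every caller-controlled field before touching memory.
 * Returns the accepted length, or -1 if the request is rejected. */
int handle_name_checked(const struct name_request *req)
{
    char name[NAME_MAX_LEN];
    if (req == NULL || req->data == NULL)
        return -1;                       /* bad pointer from the caller */
    if (req->len == 0 || req->len >= NAME_MAX_LEN)
        return -1;                       /* too long; keep room for the NUL */
    memcpy(name, req->data, req->len);
    name[req->len] = '\0';
    return (int)req->len;
}

/* Same idea when a size is computed from two caller-controlled fields:
 * count * elem_size can wrap to a small value in 32-bit arithmetic, which
 * would slip past a naive "total <= buf_size" check. Do the multiply in a
 * wider type and only then compare. Returns 0 and sets *out on success. */
int validate_array_size(uint32_t count, uint32_t elem_size,
                        size_t buf_size, size_t *out)
{
    uint64_t total = (uint64_t)count * (uint64_t)elem_size;
    if (total == 0 || total > (uint64_t)buf_size)
        return -1;
    *out = (size_t)total;
    return 0;
}

int main(void)
{
    struct name_request ok = { 5, "hello" };
    size_t n = 0;

    /* Benign input: both handlers behave the same way. */
    printf("unchecked, benign: %d\n", handle_name_unchecked(&ok));
    printf("checked,   benign: %d\n", handle_name_checked(&ok));

    /* Oversized length: only the checked handler refuses it. */
    struct name_request big = { 4096, "x" };
    printf("checked, oversized: %d\n", handle_name_checked(&big));

    /* 0x40000001 * 4 = 0x100000004, which wraps to 4 in 32-bit arithmetic. */
    printf("size check, wrapping multiply: %d\n",
           validate_array_size(0x40000001u, 4u, 256, &n));
    return 0;
}
```

The unchecked handler is only ever called with benign input in `main`; the point of the block is the two rejections in `handle_name_checked` and the widened multiply in `validate_array_size`, which are the checks a kernel entry point needs on any size or pointer that arrives from user land.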

I guess undocumented API call on account of it being unknown. Most of the known API calls would probably have been poked and p

x86 ASM is horrible on the eyes, so I don't blame you for not wanting to really look at it. Most of my disassembly experience hacking comes from PowerPC (I hack Wii games as a hobby). PowerPC ASM is very easy to read.

However, I would imagine that the exploit should be pretty easy to see from just an ASM dump; it's probably written in ASM as it is, because a compiler wouldn't write good shellcode. Exploits themselves are not terribly complicated, it's the rest of the Duqu architecture that layers the tric

I'm impressed Microsoft even acknowledged it. Years ago they would have buried this news, claiming anyone reporting on it was aiding terrorists. I'm looking forward to the fix, when they roll it out in a couple of months.

I have actually been pretty impressed by the shift in Microsoft's attitude regarding malware in recent years. Not only are vulnerabilities handled more transparently (though, I suspect, not as transparently as they could be), but they've taken an aggressive stance in going after those like botnet providers who are exploiting the exploits. Seems like they finally woke up to the fact that vulnerabilities actually detract from the value of their product.

More like they actually have competition making them sweat a bit (no I'm not talking about the hypothetical year of the linux desktop, I'm talking about the actually approaching significant decline in use of the home PC). I still have to say I'm a bit nervous on them going after botnets directly, not because I don't want those scumbags shut down and/or put behind bars, but because corporations playing vigilantes in general is a bit nerve-wracking. What we approve for one company in one circumstance, is appr

I'm sorry, but anyone that lets their Windows / internal servers be contacted by arbitrary packets from the Internet, or their systems allow execution by ordinary users of (at the very minimum, unscanned) email attachments, deserves everything they get.

This isn't news now and wasn't back 20 years ago. If you have to do more than just in a "just-in-case" firewall rule into your network equipment that automatically blocks this particular attack from local users (and which should be impossible to execute dire

You did read the story correctly, right? You realise it's a 0-day unknown exploit. (The user level is right, absolutely; users should be user class, not admins. But it's a kernel vuln, that's the point sometimes.) You realise that gateway scanning can't and likely won't protect you from *unknown* threat vectors, right? The same applies across all the tooling (anti virus/hips/dats/defs) you quite clearly have got far too comfortable in believing in, despite masses of evidence you need to rethink how you see this. When the Word doc 'executes' and grabs stuff over simple port 80, all your *I block IRC clever dick stupidity* comes undone.

STOP thinking you have this all covered. You don't. The game has changed, and it's tick-tock in the security area.

Yeah, I'm afraid you're right and I don't like it. Antivirus programs now are an incredible PITA already - in many cases, they degrade the system more than do viruses. If this really is tick-tock in the security area, I dread to contemplate what "tock" the security companies will come up with in answer to this kind of thing.

I'm probably wrong, but I'd just assume that any modern malware would reach out from the infected machine to hit port 80 on some botnet controller machine. If your goal is to infect vast quantities of end-user PCs, you can bet almost all of them get through to port 80, even if just about everything else is blocked.

Clearly, you didn't read the article. The document attachment won't trigger your scanner, because it exploits an unpublicized kernel vulnerability. Because it's a kernel vulnerability, it's quite unlikely privilege separation will help you. So unless you forbid people to get any and all .doc/.docx files from any source, you are vulnerable to something like this.

So... you do block all possible access to .docx files, right? Or maybe you need to realize that your 20 year old security rules that aren't 20 year

Does this apply to docx files, or just doc/docm files? The newer Word versions have removed macro functionality from the docx files, and require you to use docm files for any of that. 2007/2010 also refuse to run macros on any kind of files from non-trusted locations. Or is this an old-fashioned exploit that relies on a buffer overflow or such in a non-macro document?

"A newly discovered installer for the Duqu malware includes an exploit for a previously unknown vulnerability in the Windows kernel that allows remote code execution."
It's an exploit embedded inside a Word document. You can't get more local than that.

Normally I'd be exaggerating with a statement like this, but not this time I think: "only with Microsoft..." Every time I see something like this I can't help but think they can't possibly pull off something stupider. And yet somehow they just keep doing it.

It's called "innovation". Microsoft has it, other companies and groups don't. While Microsoft has been busily advancing the security flaw sciences over the life of the company, the Linux and *BSD teams still consider it a major breakthrough worth front-page news whenever they develop a rare, very-special-case privilege escalation bug under certain kernel options (and only if you made stupid decisions in your other programs). And while Apple is still struggling to come up with ways to relinquish root on t

Everything, eventually, calls kernel APIs, or it wouldn't be able to DO anything. The kernel is the only way you're going to access the file system, the hardware, etc. It would be a pretty sorry-assed word processor that couldn't save files.

The selection of Word as an attack vector was probably influenced by a combination of...

Word is probably the number 1 application that most professionals open after the browser.

Word has the extra advantage that it's not received as much hardening as the browser.

Office may use some of the reputed secret API calls that MS use to give it an advantage... these may be less hardened than public ones, or just less commonly exploited, thus they are a softer target.

The document data structure handling code in Word is likely a total mess, as revealed in the MOO-XML specs, because it contains support for a lot of very old versions of Word, and is probably more vulnerable to exploits than other parts of Office.

Yea, during 2006 Office in fact was a big target of zero-day attacks [zdnet.com], forcing MS to release Office 2003 SP3 in Sept 2007, and also MOICE around the same time, which converts files to OOXML in a sandbox before opening them. Later MS introduced Office File Protection in Office 2010 and later backported this to 2003/2007, which validates Office binary formats before opening them.

You simply do not have any idea how software works, which is ironic considering you're calling them stupid. Please realize that ALL IO, be it console, GUI or file, goes through the kernel, right?

Your super leet little Linux box works the same way.

All apps access the kernel API in order to function. Just starting a process is an API call. To actually do anything useful on a computer, you're talking to the kernel, its what arbitrates between all of your apps. Yes, you may have a window manager doing the lif

No app bug needed, most likely. I have no idea what the bug is, but it could be something like trying to save a file with a really creative filename, or otherwise coercing Word into calling whatever kernel API with your exploitive string, which is just normal data in the document from Word's point of view.

It's really not the apps job to police the kernel APIs - they had damn well better sanitize their own inputs (and normally do, of course).

Different worlds. I've never heard of a SQL-injection attack that worked with stored procedures, which is the better analogy here. If you're not religiously checking your inputs for validity, kernel programming is not the career for you.


Fortunately, all that scripting stuff is off by default in Office now. Unfortunately, there are still companies that use the scripting nonsense (especially in Excel), so those users are used to clicking OK on the "enable scripting" pop-up.

Because of binary file formats, binary fonts, etc. All data is just data, including code. A is the same as \x41 which is the op code for INC EAX, for example. That's effectively a NOP as far as shell code is concerned, though. Others do other things, of course. It's the same reason you can do exploits in PDF or other file format attacks.

This is old news. Microsoft Office was probably the largest vector for computer virus infections in the mid 90s. VBA means that opening your document can pretty much do anything since it can hook into Win32 and 99% of users ran as administrators.

Nowadays, Windows users aren't admins by default, and there are some protections to prevent macros from being run without your permission, but all that stuff is still in there. Office has always been a de facto part of the OS because the only way Microsoft could

This kind of advice is classic. It's also pointless. This kind of attack 'comes' from people or sources you know (most users are not going to check full headers), and it's spear phishing in nature, so it's documents that look viable and realistic.

This is standard stuff, not rocket science sadly. So nominal 'don't open from unknown senders' advice is pointless, worthless and about 4 years out of date. You can even forget about forging headers. We're well past that. They can and will use the machine of the person you expect to hear from when sending (this requires some access into the structure to do, but that's nothing unusual today in infrastructure that is too loose/insecure).

The number of breaches is growing, the exploits are growing, and stuff like AV is having a higher percentage of failure in dealing with viruses/threats. The cyber 'threat' isn't just real. It's wide and deep, and to be honest, I'm not seeing any viable proper response to it at all. Most attempts to resolve it are akin to sticky plasters over gaping wounds, and the whole landscape tends to be getting worse as time goes by.

And that's before you really face up to stux and its game-changing nature. Now it's not just PCs/Windows that you have to watch. And that's a whole new ballgame.


The only good answer (today) to rootkits is host-based scanning. Do everything on VMs, and do your AV from the host. Eventually that too will fall, but so far there aren't any credible "VM escape" attacks (there are some interesting beginnings), so you can keep the host safe, and a rootkit on the guest should present no real obstacle to the host. Sadly, there's not much to choose from to scan from a thin hypervisor yet.

Eventually, the only good answer will be to cryptographically lock down the host/hypev

Someone should mod you into oblivion for posting a PCWorld ad for Symantec, because that's all that article is. It even tells people to not only just install anti-malware, but to install Norton, and does not mention any other security companies at all.

I think you should take your uptight ass for a nice long walk, off of a very short pier. Some of you people seem to have learned nothing in school, except spelling and grammar. It was the only place where you ever earned any praise. Since you are in no way superior to anyone else in any other field, you feel the need to make your inane grammar nazi posts here, there, everywhere.

If I was spear phishing, it wouldn't be from an "unknown sender" - it would be "from" "someone within the company" and it would look official and it would be mandatory to read.

For example, a "message from the COO" and the From: being from the COO's address. This is typically public knowledge or it can be gotten with social engineering. Once that's done, all bets are off because lower level employees/on pain of being fired/ are not going to ignore the email, and thus open the Word attachment.

The "From:" header can be anything, Anon, and it can be trivially set.

Plus, God knows, news from higher-ups never comes in an email itself. Instead, we get emails from the CEO's secretary that say "Please read the attached message from the CEO." I've gotten plenty, so yeah, if I got one, I'd open it. I might know it's a fake if there were grammatical errors or if the secretary's name (which I happen to know) wasn't on there, but otherwise, yeah, it wouldn't be unusual at all.

I don't read much of anything in my inbasket. I guess that makes me a high level employee?

COO: Did you read my email?
Me: Well, hell no! I'm too busy to read mail.
COO: Well, it said you'd be fired if you didn't read it.
Me: Cool. Six months paid vacation, courtesy of the Employment Commission!
COO: To hell with that, I have some shit jobs that need to be done before you go anywhere.
Me: Well, Fuck you very much, Sir!

Since many web browsers are so helpful nowadays, you don't need to run any executables or open any attachments anymore. Browsers will usually help you by opening malware-ridden PDFs, Flash objects, as well as DOC files. You will not even know they were opened, since malware does not want to be loaded in the open and gets executed in a hidden window or JavaScript object.

I found that in my inbox a short while ago. At the time, the irony hit me like a sledgehammer - Sophos wants to make me aware of fake AV, Sophos should be warning me against downloading and installing random shit from the internet - so they invite me to download some random shit from the internet which may or may not be a legitimate random shit. Hmmmm. Yeah - I'l

So explain to me how Apple doesn't do any of these things? You realize that for a long time now the main method of jailbreaking their phones has been a PDF exploit that allows you to root the device. Not only is it documented and in active use, but it has been there for years now, and they still have not fixed it.

Get a clue. You don't know what a "kernel vulnerability" is, judging by your rhetoric you seem to think only silly OS's like Windows have them and allow user-land processes to exploit them. Not true. [pcworld.com]

There are already OSX Trojans that are effective because Mac users feel invincible because they aren't running Windows. The fact that those exist is a warning to Apple that their market share is getting large enough to be targeted, but nobody seems to care about educating their users.

The most secure operating system in the world is no match for a user with the root password.

SE Linux does a good job of addressing this. Of course it's not perfect, and chances are this particular strategy would work even in SE Linux. Note that the user doesn't need the root password for this one. Yuck.

Wait, what does the OS have to do with the mail client, or with what you can embed into what documents? I mean, if you want to discuss awful clients, we could talk about Mac Mail, or I could simply remind you that Outlook and Word are both available for OSX too and hardly count as MS OS features.

As for "random native code on the internet", I'm pretty sure Safari et al support NPAPI plugins, which are essentially the same thing, and perhaps a little easier to install than an ActiveX program in IE9.

The reason is because of crap that listens on undocumented TCP/IP ports, onto which a single UDP packet can take over and start spewing itself all over the internet.